- Java serialization has garnered several years' worth of security exploits and 0-day attacks. We discuss the current state of the technology and what can be done to protect against serialization flaws.
- Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. In this tutorial we will learn about Serialization in core java.
- The intended package-level documentation for package java.io in JDK 11 will also provide links to the following additional references (but likely to be JDK 11-based references): Java Object Serialization Specification (JDK 10 link) Serial Filtering best practices (JDK 10 link) serialver tool (JDK 10 link).
- 119 videos Play all Java Essential Training Tutorials Point (India) Pvt. Scrum vs Kanban - Two Agile Teams Go Head-to-Head + FREE CHEAT SHEET - Duration: 17:17. Development That Pays 221,285.
This tutorial provides the explanation on serialization in Java with the example. It provides the complete tutorial on Serialization in java and also covers all Java serialization interview questions and answers.
- Java Tutorial
- Java Object Oriented
- Java Advanced
- Java Useful Resources
- Selected Reading
Java provides a mechanism, called object serialization where an object can be represented as a sequence of bytes that includes the object's data as well as information about the object's type and the types of data stored in the object.
After a serialized object has been written into a file, it can be read from the file and deserialized that is, the type information and bytes that represent the object and its data can be used to recreate the object in memory.
Most impressive is that the entire process is JVM independent, meaning an object can be serialized on one platform and deserialized on an entirely different platform.
Classes ObjectInputStream and ObjectOutputStream are high-level streams that contain the methods for serializing and deserializing an object.
The ObjectOutputStream class contains many write methods for writing various data types, but one method in particular stands out −
The above method serializes an Object and sends it to the output stream. Similarly, the ObjectInputStream class contains the following method for deserializing an object −
This method retrieves the next Object out of the stream and deserializes it. The return value is Object, so you will need to cast it to its appropriate data type.
To demonstrate how serialization works in Java, I am going to use the Employee class that we discussed early on in the book. Suppose that we have the following Employee class, which implements the Serializable interface −
Example
Notice that for a class to be serialized successfully, two conditions must be met −
- The class must implement the java.io.Serializable interface.
- All of the fields in the class must be serializable. If a field is not serializable, it must be marked transient.
If you are curious to know if a Java Standard Class is serializable or not, check the documentation for the class. The test is simple: If the class implements java.io.Serializable, then it is serializable; otherwise, it's not.
Serializing an Object
The ObjectOutputStream class is used to serialize an Object. The following SerializeDemo program instantiates an Employee object and serializes it to a file.
When the program is done executing, a file named employee.ser is created. The program does not generate any output, but study the code and try to determine what the program is doing.
Note − When serializing an object to a file, the standard convention in Java is to give the file a .ser extension.
Example
Deserializing an Object
The following DeserializeDemo program deserializes the Employee object created in the SerializeDemo program. Study the program and try to determine its output −
Example
This will produce the following result −
Java Versions
Output
Here are following important points to be noted −
Free Java 11
- The try/catch block tries to catch a ClassNotFoundException, which is declared by the readObject() method. For a JVM to be able to deserialize an object, it must be able to find the bytecode for the class. If the JVM can't find a class during the deserialization of an object, it throws a ClassNotFoundException.
- Notice that the return value of readObject() is cast to an Employee reference.
- The value of the SSN field was 11122333 when the object was serialized, but because the field is transient, this value was not sent to the output stream. The SSN field of the deserialized Employee object is 0.